On 10/08/17 19:35, Jeremy Rowley wrote:
> This is interesting. We had one Sub CA who mis-issued some pre-certs but
> then never issued an actual certificate tied to the pre-certificate. There
> was a previous Mozilla discussion (link coming) where mis-issuance of a
> pre-certificate was akin to mis-issuance of the certificate itself. The
> pre-certificates were later revoked at our request. If no actual
> certificate was issued, the pre-cert falls out of scope of the BRs, right?
> Since it can't be used for actual server transactions thanks to the poison
> extensions? Obviously they still fall within the Mozilla policy as they
> contain serverAuth in the EKU. However, should they be reported as issues
> and should they be revoked in accordance with the BR?
I'm having trouble disentangling your questions from each other :-) But yes, our position (and that of the CT RFC) is that "mis-issuance of a pre-certificate is equivalent to mis-issuance of the certificate itself", and therefore should be reported and dealt with just as if a cert was mis-issued.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
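One way to make sure a CA's own compliance scan does not skip pre-certificates, as an added example in Python using the `cryptography` package (not code from the thread, from DigiCert or from Mozilla): it detects the RFC 6962 poison extension and the serverAuth EKU, and treats both objects as in scope for misissuance handling, as the reply above states. The self-signed sample certificate is constructed here for illustration only.

```python
# Added example: classify an X.509 object as precertificate vs. certificate
# and check whether it asserts serverAuth. Assumes `cryptography` is installed.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID


def classify(cert: x509.Certificate) -> dict:
    """Report whether `cert` carries the CT poison extension (i.e. is a
    precertificate) and the serverAuth EKU; both kinds are in scope."""
    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.PRECERT_POISON)
        is_precert = True
    except x509.ExtensionNotFound:
        is_precert = False
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        server_auth = ExtendedKeyUsageOID.SERVER_AUTH in eku
    except x509.ExtensionNotFound:
        server_auth = False
    # The poison extension stops TLS clients from accepting the object, but
    # it does not take it out of scope for misissuance reporting.
    return {"precert": is_precert, "server_auth": server_auth,
            "in_scope": server_auth}


def make_sample(precert: bool, server_auth: bool = True) -> x509.Certificate:
    """Constructed self-signed sample (hypothetical, not a real CA artefact)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    start = datetime.datetime(2017, 8, 10, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=90)))
    if server_auth:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if precert:
        # RFC 6962 requires the poison extension to be marked critical.
        builder = builder.add_extension(x509.PrecertPoison(), critical=True)
    return builder.sign(key, hashes.SHA256())
```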